COSO, in collaboration with Deloitte, released this new cyber risk management guidance, "Managing Cyber Risk in a Digital Age," directed at company boards, management, and cyber practitioners and based on its widely consulted ERM Framework. The guidance leverages the five risk management components of the ERM Framework - Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication, & Reporting - and the 20 supporting principles, with Governance & Culture serving as the foundation.
Along those lines, suggested actions include:
- Boards develop or acquire cybersecurity expertise or advisors with relevant expertise
- Boards oversee the company's cybersecurity strategy, execution and monitoring program, including ensuring appropriate public disclosure of cyber risk factors and/or a material cybersecurity breach
- Creation of a cross-departmental and cross-functional cyber risk management team that assesses cyber risks based on a framework, develops a cybersecurity management plan and risk mitigation budget, and reports to the board on cyber threats and the associated risk management initiatives
- Focus on cybersecurity awareness, training, and data loss prevention - with management modeling the desired cybersecurity culture and behaviors
- Involvement of qualified cyber risk professionals, which may consist of in-house or outside expertise
See COSO's release and this WSJ article, and these prior reports: "COSO & Sustainability Council Release ESG-Risk Guidance" and "COSO’s Updated ERM Framework Tackles Demanding Corporate Risk Environment," and numerous additional resources on our Cybersecurity/Data Privacy page. This post first appeared in the weekly Society Alert!